CTT Report Hub
Threat Intelligence Report Hub
https://cyberthreat.tech
Cyber Threat Technologies LLC (ООО Технологии киберугроз)
Contact: @nikolaiav
#ParsedReport
16-12-2022

Dark Web Profile: Killnet Russian Hacktivist Group

https://socradar.io/dark-web-profile-killnet-russian-hacktivist-group

Actors/Campaigns:
Killnet (motivation: financially_motivated, hacktivism)
Xaknet (motivation: hacktivism)
Zarya (motivation: hacktivism)
Anonymous_russia (motivation: hacktivism)
Dpr_joker (motivation: hacktivism)
Beregini (motivation: hacktivism)
Rahdit (motivation: hacktivism)
Noname057 (motivation: hacktivism)
Zsecnet (motivation: hacktivism)

Threats:
Killmilk_actor
Joker
Orbit_technique
Cannon
Karma

Industry:
Transport, Government, Aerospace, Telco, Financial, Healthcare

Geo:
Poland, Italy, Japan, Romania, United Kingdom (London), Ukraine, Germany, Indiana, Russia, Norway, Estonia, Lithuania, Czech Republic, United States

TTPs:
Tactics: 3
Techniques: 5

Softs:
telegram, teamspeak
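
Every record in this channel follows the layout above: a date, a title, the source URL, then colon-terminated section headers with one item per line; the CVEs section nests per-CVE enrichment lines and a "Soft:" list, and a few flags ("YARA: Found") are single-line. As an added example, not code from the channel or from cyberthreat.tech, the following Python parses that layout into a dictionary. It runs over a record constructed from fields that appear on this page (the URL is a placeholder) and also flags two defects visible in the feed as published: repeated version strings inside "Soft:" lists and CVE entries whose every enrichment field is "Unknown".

```python
import re

# Constructed sample in the channel's #ParsedReport layout, assembled from fields that
# appear on this page; the URL is a placeholder, not the report's real address.
SAMPLE = """#ParsedReport
19-12-2022

Veeam Fixes Critical Vulnerabilities in Backup & Replication Software

https://example.invalid/veeam-report

Actors/Campaigns:
Killnet (motivation: financially_motivated, hacktivism)
Zarya (motivation: hacktivism)

CVEs:
CVE-2022-26500 [Vulners]
Vulners: Score: 6.5, CVSS: 7.4,
X-Force: Patch: Official fix
Soft:
- veeam backup & replication (<10.0.1.4854, 10.0.1.4854, 10.0.1.4854, <11.0.1.1261)

CVE-2022-265001 [Vulners]
Vulners: Score: Unknown, CVSS: Unknown,
X-Force: Patch: Unknown

YARA: Found
"""

CVE_ID = re.compile(r"^(CVE-\d{4}-\d{4,})\b")
ACTOR = re.compile(r"^(\S+)(?: \(motivation: ([^)]+)\))?$")
HEADER = re.compile(r"[A-Za-z/ ]+:")  # "Threats:", "Actors/Campaigns:", "Win API:", ...

def split_records(text):
    """Split a channel dump on its '#ParsedReport' marker lines."""
    return [c for c in re.split(r"(?m)^#ParsedReport[ \t]*\n", text) if c.strip()]

def parse_record(chunk):
    """One record -> {'date', 'title', 'url', 'sections': {name: [item lines]}}."""
    lines = chunk.splitlines()
    date, title, url = [l for l in lines if l.strip()][:3]
    sections, current, after_blank = {}, None, True
    for line in lines[lines.index(url) + 1:]:
        if not line.strip():
            after_blank = True
            continue
        if current == "CVEs" and not after_blank:
            sections[current].append(line)  # keeps the nested "Soft:" label inside the CVE entry
        elif HEADER.fullmatch(line):
            current = line[:-1]
            sections[current] = []
        elif current is not None and (not after_blank or (current == "CVEs" and CVE_ID.match(line))):
            sections[current].append(line)  # a blank line only continues the CVEs block
        elif ":" in line:  # single-line flag such as "YARA: Found"
            key, _, value = line.partition(":")
            sections[key.strip()] = [value.strip()]
            current = None
        after_blank = False
    return {"date": date, "title": title, "url": url, "sections": sections}

def parse_actors(lines):
    """'Killnet (motivation: a, b)' -> {'Killnet': ['a', 'b']}; bare names get []."""
    out = {}
    for line in lines:
        m = ACTOR.match(line)
        if m:
            out[m.group(1)] = [s.strip() for s in m.group(2).split(",")] if m.group(2) else []
    return out

def dedupe_versions(soft):
    """'name (a, b, b, c)' -> 'name (a, b, c)', order kept; the feed repeats versions."""
    m = re.fullmatch(r"(.*?) \((.*)\)", soft)
    if not m:
        return soft
    versions = dict.fromkeys(v.strip() for v in m.group(2).split(","))
    return f"{m.group(1)} ({', '.join(versions)})"

def parse_cves(lines):
    """Group CVEs-section lines into entries with 'Source.Field' -> value enrichment."""
    entries, cur = [], None
    for line in lines:
        m = CVE_ID.match(line)
        if m:
            cur = {"id": m.group(1), "fields": {}, "soft": []}
            entries.append(cur)
        elif cur is None or line.strip() == "Soft:":
            continue
        elif line.startswith("- "):
            cur["soft"].append(dedupe_versions(line[2:]))
        else:  # "Vulners: Score: 6.5, CVSS: 7.4," -> Vulners.Score, Vulners.CVSS
            src, _, rest = line.partition(": ")
            for kv in rest.split(","):
                key, _, value = kv.strip().partition(": ")
                if key:
                    cur["fields"][f"{src}.{key}"] = value
    return entries

def unresolved_cves(entries):
    """IDs whose every enrichment field is Unknown, i.e. no source could resolve the ID."""
    return [e["id"] for e in entries
            if e["fields"] and all(v == "Unknown" for v in e["fields"].values())]
```

Feed the full channel text to `split_records` and map `parse_record` over the result; the IDs returned by `unresolved_cves` are worth checking by hand before they reach a ticket, since an ID that no enrichment source recognises is usually a parser artifact rather than a new vulnerability.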
#ParsedReport
19-12-2022

Veeam Fixes Critical Vulnerabilities in Backup & Replication Software (CVE-2022-26500 & CVE-2022-26501)

https://socradar.io/veeam-fixes-critical-vulnerabilities-in-backup-replication-software-cve-2022-26500-cve-2022-26501

Threats:
Monti
Yanluowang
Empire_loader

CVEs:
CVE-2022-26500 [Vulners]
Vulners: Score: 6.5, CVSS: 7.4,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- veeam backup & replication (9.5.0.1536, 9.5.4.2615, <10.0.1.4854, 10.0.1.4854, <11.0.1.1261, 11.0.1.1261)

CVE-2022-26501 [Vulners]
Vulners: Score: 10.0, CVSS: 2.0,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- veeam backup & replication (<10.0.1.4854, 10.0.1.4854, <11.0.1.1261, 11.0.1.1261)


IOCs:
File: 4
Hash: 3
IP: 1

Languages:
python
#ParsedReport
19-12-2022

Trojanized Windows 10 Operating System Installers Targeted Ukrainian Government

https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government

Actors/Campaigns:
Unc4166 (motivation: information_theft)
Fancy_bear

Threats:
Stowaway_tool
Beacon
Sparepart
Eternal_petya
Cobalt_strike
Process_injection_technique

Industry:
Government

Geo:
Ukraine, Russia

TTPs:
Tactics: 7
Techniques: 22

IOCs:
File: 13
Hash: 14
Url: 6
Path: 11
Command: 4
Domain: 5
IP: 2

Softs:
curl, windows service, windows image

Algorithms:
zip

Win API:
GetSystemFirmwareTable, DriveType

Languages:
visual_basic

Platforms:
x64

Links:
https://github.com/ethanpil/sheret
https://github.com/microsoft/Windows-universal-samples/blob/main/Samples/CustomCapability/Service/Client/smbios.cpp
https://gist.github.com/poudyalanil/ed1a7ed5603805833ca41cbaccefe0d5
https://github.com/DeltoidDelta/Remove-MS-Telemetry-and-Annoyances/blob/master/remove_MS_telemetry.cmd
https://github.com/ph4ntonn/Stowaway
#ParsedReport
19-12-2022

Flying Phish

https://www.domaintools.com/resources/blog/flying-phish

Threats:
Cyberchef_tool
Credential_harvesting_technique
Procmon_tool

Industry:
Telco, E-commerce

Geo:
China

IOCs:
Domain: 8
Email: 8
IP: 1
File: 8
Hash: 5
Url: 2

Softs:
discord, instagram

Algorithms:
base64, zip

Languages:
php

Platforms:
intel

YARA: Found

Links:
https://github.com/DomainTools/SecuritySnacks/tree/main/2022/Flying%20Phish
#ParsedReport
19-12-2022

Iran-linked Charming Kitten espionage gang bares claws to pollies, power orgs

https://www.proofpoint.com/us/newsroom/news/iran-linked-charming-kitten-espionage-gang-bares-claws-pollies-power-orgs

Actors/Campaigns:
Cleaver (motivation: hacktivism, information_theft, cyber_espionage)
Phosphorus
Irgc (motivation: cyber_espionage)
Bec

Threats:
Beacon
Credential_harvesting_technique
Ghostecho
Quantum_locker
Revil
Wannacry

Industry:
Government, Energy, Education, Healthcare, Aerospace

Geo:
Iran (Tehran), United States, EMEA, Israel

IOCs:
Domain: 2

Platforms:
intel, arm
#ParsedReport
19-12-2022

CVE-2022-41040 and CVE-2022-41082 zero-days in MS Exchange

https://securelist.com/cve-2022-41040-and-cve-2022-41082-zero-days-in-ms-exchange/108364

Threats:
Proxynotshell_vuln
Proxyshell_vuln
Dllhijacker
Trojan.win64.agent.qwibok
Dll_hijacking_technique

CVEs:
CVE-2021-31207 [Vulners]
Vulners: Score: 6.5, CVSS: 1.7,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft exchange server (2013, 2016, 2019)

CVE-2021-34473 [Vulners]
Vulners: Score: 10.0, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 9.1
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2019)

CVE-2022-41040 [Vulners]
Vulners: Score: Unknown, CVSS: 3.2,
Vulners: Exploitation: True
X-Force: Risk: 6.5
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2019)

CVE-2021-34523 [Vulners]
Vulners: Score: 7.5, CVSS: 3.4,
Vulners: Exploitation: True
X-Force: Risk: 9
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2019)

CVE-2022-41082 [Vulners]
Vulners: Score: Unknown, CVSS: 2.8,
Vulners: Exploitation: Unknown
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2019)


IOCs:
File: 4
IP: 1
Hash: 5

Softs:
microsoft exchange server, microsoft exchange

Languages:
python
#ParsedReport
19-12-2022

SentinelSneak: Malicious PyPI module poses as security software development kit

https://blog.reversinglabs.com/blog/sentinelsneak-malicious-pypi-module-poses-as-security-sdk

Actors/Campaigns:
Iconburst

Threats:
Sentinelsneak
Typosquatting_technique
W4sp

Geo:
Germany

IOCs:
IP: 1
Hash: 48

Languages:
ruby, javascript, python

Links:
https://github.com/javascript-obfuscator/javascript-obfuscator
#ParsedReport
20-12-2022

Lazarus APTs Operation Interception Uses Signed Binary

https://labs.k7computing.com/index.php/lazarus-apts-operation-interception-uses-signed-binary

Actors/Campaigns:
Lazarus

IOCs:
File: 2
Hash: 1

Softs:
macos, coinbase, microsoft word, curl

Functions:
startDaemon, DownloadFile, curl_easy_init, curl_easy_setopt

Platforms:
apple, intel, arm
#ParsedReport
20-12-2022

Nokoyawa Ransomware: Rust or Bust

https://www.zscaler.com/blogs/security-research/nokoyawa-ransomware-rust-or-bust

Actors/Campaigns:
Blackcat

Threats:
Nokoyawa
Karma
Nemty
Hive
Blackcat

Industry:
Financial

IOCs:
Hash: 3

Algorithms:
curve25519, salsa20, base64, ecc, sect233r1

Languages:
rust, golang

Links:
https://github.com/threatlabz/tools/tree/main/nokoyawa
https://github.com/kokke/tiny-ECDH-c
#ParsedReport
20-12-2022

Raspberry Robin Malware Targets Telecom, Governments

https://www.trendmicro.com/en_us/research/22/l/raspberry-robin-malware-targets-telecom-governments.html

Threats:
Raspberry_robin
Browserassistant
Uacme
Uac_bypass_technique
Lockbit

Industry:
Government, Telco

Geo:
Australia, Oceania, America

TTPs:
Tactics: 1
Techniques: 0

IOCs:
File: 9
Registry: 3
Path: 1
Hash: 1

Softs:
windows installer, windows shell

Algorithms:
rc4
#ParsedReport
20-12-2022

Threat Spotlight: XLLing in Excel - threat actors using malicious add-ins (Cisco Talos Intelligence Blog)

https://blog.talosintelligence.com/xlling-in-excel-malicious-add-ins

Actors/Campaigns:
Stone_panda (motivation: cyber_espionage)
Ta410 (motivation: cyber_espionage)
Donot
Carbanak (motivation: financially_motivated)

Threats:
Motw_bypass_technique
Meterpreter_tool
Dridex
Formbook
Anel
Process_injection_technique
Buer_loader
Agent_tesla
Vidar_stealer
Nanocore_rat
Icedid
Arkei_stealer
Asyncrat_rat
Bazarbackdoor
Avemaria_rat
Lokibot_stealer
Ducktail_stealer

Industry:
Education, Government, Healthcare

Geo:
Pakistan, Japan, India, Vietnam, China, Russia, Hungary (Budapest), Africa

IOCs:
Registry: 1
File: 12
Hash: 11
Url: 1

Softs:
microsoft office, visual basic for applications, windows explorer, microsoft excel, net framework, discord

Algorithms:
aes, base32

YARA: Found

Links:
https://github.com/Cisco-Talos/osquery_queries/blob/master/win_malware/donot_mutex.yaml
https://github.com/Cisco-Talos/IOCs/blob/main/2022/12/xlling-in-excel-malicious-add-ins.txt
https://github.com/Cisco-Talos/osquery_queries/blob/master/win_malware/malware_avemaria_filepath.yaml
https://github.com/Cisco-Talos/osquery_queries/blob/master/win_malware/malware_lokibot_filepath.yaml
#ParsedReport
20-12-2022

Russia's Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine

https://unit42.paloaltonetworks.com/trident-ursa

Actors/Campaigns:
Gamaredon

Threats:
Mispadu
Fastflux_technique
Beacon

Industry:
Petroleum, Government

Geo:
APAC, Russia, Ukraine, EMEA, America, Japan

IOCs:
Hash: 12
Domain: 7
Url: 10
IP: 3
File: 9
Path: 3

Softs:
telegram, windows scheduled task, mac os

Algorithms:
xor, base64

Functions:
GetSynchronization-USA

Win API:
CreateProcessA

Platforms:
intel, x64

Links:
https://github.com/pan-unit42/iocs/blob/master/Gamaredon/Gamaredon_IoCs_DEC2022.txt
#technique

Venom is a C++ library meant to give a program an alternative way to communicate. Instead of creating a socket that could be traced back to the calling process, it spawns a new hidden (no window shown), detached Microsoft Edge process (Edge was chosen because it is installed on every Windows 10+ system and will not look suspicious) and steals one of that process's sockets to perform the network operations. For defenders, the observable artifacts are therefore an Edge process launched by a non-browser parent and network traffic attributed to that Edge process rather than to the process that actually originated it.

https://github.com/Idov31/Venom
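
As an added example, not code from Venom or its author, the following Python runs that parent-child and traffic-attribution check over constructed Sysmon-style events. Field names follow Sysmon Event ID 1 (process creation) and Event ID 3 (network connection); the paths, PIDs, addresses and the expected-parent allowlist are assumptions for the example, not values from the Venom repository.

```python
# Constructed Sysmon-style telemetry (not real logs): field names follow Sysmon Event ID 1
# (process creation) and Event ID 3 (network connection); paths, PIDs and addresses are invented.
PROCESS_EVENTS = [
    {"ProcessId": 5300, "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "ParentProcessId": 4120, "ParentImage": r"C:\Windows\explorer.exe"},
    {"ProcessId": 5312, "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "ParentProcessId": 5300, "ParentImage": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"},
    {"ProcessId": 7804, "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "ParentProcessId": 7788, "ParentImage": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"ProcessId": 7810, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentProcessId": 7788, "ParentImage": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
]
NETWORK_EVENTS = [
    {"ProcessId": 5312, "DestinationIp": "203.0.113.10", "DestinationPort": 443},   # ordinary browsing
    {"ProcessId": 7804, "DestinationIp": "198.51.100.23", "DestinationPort": 8443}, # via the hidden Edge
    {"ProcessId": 7810, "DestinationIp": "198.51.100.23", "DestinationPort": 8443},
]

# Parents that launch Edge in normal use; an allowlist assumed for this example and to be
# tuned per environment (the Edge updater and shell protocol handlers would be added here).
EXPECTED_PARENTS = {"explorer.exe", "msedge.exe", "svchost.exe", "runtimebroker.exe", "sihost.exe"}

def basename(path):
    """Case-insensitive file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def suspicious_edge_spawns(process_events):
    """Edge processes created by a parent outside the expected set."""
    return [ev for ev in process_events
            if basename(ev["Image"]) == "msedge.exe"
            and basename(ev["ParentImage"]) not in EXPECTED_PARENTS]

def attribute_traffic(process_events, network_events):
    """Re-attribute connections made by a suspiciously spawned Edge to the parent that launched it."""
    by_pid = {ev["ProcessId"]: ev for ev in suspicious_edge_spawns(process_events)}
    findings = []
    for net in network_events:
        spawn = by_pid.get(net["ProcessId"])
        if spawn:
            findings.append({
                "origin_parent": spawn["ParentImage"],
                "origin_pid": spawn["ParentProcessId"],
                "via_edge_pid": net["ProcessId"],
                "dst": f'{net["DestinationIp"]}:{net["DestinationPort"]}',
            })
    return findings
```

The parent-child rule is a heuristic: a Venom user can launch Edge through a trusted intermediary, and process-creation telemetry does not show the socket handle being shared between the two processes. The more durable signal is the connection itself, an Edge process that was never shown to the user talking to a destination that no interactively launched Edge on the host contacts, which is why the finding carries the destination alongside the originating parent.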
#ParsedReport
21-12-2022

Surge of Fake FIFA World Cup Streaming Sites Targets Virtual Fans

http://www.zscaler.com/blogs/security-research/surge-fake-fifa-world-cup-streaming-sites-targets-virtual-fans

Threats:
Solarmarker

Industry:
E-commerce, Financial, Aerospace

Geo:
Tokyo, Qatar, Africa

IOCs:
Domain: 29
Hash: 10

Softs:
wordpress, windows installer, joomla

Languages:
javascript, php